This story is from last year, but yeah, when you force everyone to use two-factor authentication, especially when it involves a physical device:
“Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.”
That works at Google, but how many lawyers would be cool with needing to carry around a key fob to log in? I know some who understand their duty to protect client data and work with some very security-minded clients. I’m sure a lot of others would just be put out by the extra step, though.
Heck, there are a lot of people across all industries who won’t even use 2FA with something like online banking or other sensitive websites, and that’s their own data. How can we truly expect them to feel the same way about their company’s or client’s data?
Still, this article shares an interesting data point in the fight against phishing and the use of 2FA, as well as some helpful information about these security keys. You may want to check it out.